Auth0 Enhanced Security

Auth0 Multifactor Authentication

Hello and welcome to another Auth0 video tutorial. My name is Ado and today we will be taking a look at enhanced security through multifactor authentication.

Username and password authentication has been around for a very long. It is a well established method for giving users access to protected resources. This method of authentication is everywhere: in banking, ecommerce, education and companies both large and small. In recent years, this method of authentication has proven to be weak for multiple reasons:

Users tend to reuse the same password across multiple services. This means that you can follow all of the security best practices and if a service unrelated to your business becomes compromised and leaks their user accounts, attackers could gain access to your systems. This creates a single point of failure and violates the defense-in-depth concept that aims to provide multiple layers of security and information assurance. Aside from password reuse, users tend to choose weak passwords or even worse write their passwords on a sticky note and leave it on their desk.

To combat this, companies started enforcing various password policies. Your password must be at least eight characters long, with at least one capital letter, one number, and a symbol. Mandatory password changes were also implemented - so users would have to change their password every one to three months for example. Some organizations went even further, preventing the user from using the last 5 or 10 passwords, blacklisting common passwords such as 123456 or letmein or preventing the password from being the users name.

These methods did have the benefit of enforcing better security practices, but they were also anti-user. The user experience greatly suffered which can lead to a decrease in adoption or engagement with a product or service. That’s not good either.

At Auth0 we make identity and security frictionless. Multifactor authentication adds an additional layer of security and enforces the defense-in-depth concept.

I’ve written a simple app here that requires me to login with a username and password. I’ll just login to show you that it works - and then i’ll log out. Right now, this app does not have any enhanced security features enabled. If someone else had my credentials, they could login and impersonate me. Let’s fix that.

Auth0 allows us to easily add multifactor authentication to our applications by simply enabling the service in the management dashboard. Multifactor or two factor authentication works by requiring the user to provide an additional set of credentials, referred to as a one-time passcode, before they are granted access to the system. There are of course other methods of multifactor authentication physical tokens but we’ll omit those for now. Let’s enable this service for our application.

I’ll head over to the management dashboard and navigate to the multifactor auth tab. From here, you have a couple of different options. You can enable multifactor auth via push notifications or SMS text messages. Let’s enable push notifications. We’ll use the Auth0 Guardian app as our authenticator, which is available for both iOS and Android devices, but you could also use other apps such as the Google Authenticator, or just rely on SMS messages to get the one-time passcode.

Flipping the switch is all we need to do. The next time I attempt to login, I will be required to setup a 2nd factor of authentication which I will need for any subsequent logins. Let’s go through this process as well. I’ll login to the app and now I am presented with a new screen informing me about the newly required multifactor authentication process.

I already have the Auth0 guardian app download on my phone, so I’ll simply open it and will opt to scan the QR code presented on the screen. Once that is done, I will be given further instructions on how I can recover my 2nd factor and also a backup password in the event that I do not have access to my phone.

Once this setup process is done, I will receive a push notification asking me whether I want to allow the login attempt I made earlier to go through. I have two options here, I can either either hit accept or deny or if I wanted to I could also type in the code provided. I’ll choose to accept the login request and right away I’ll be logged into my account.

To show the subsequent multifactor authentication flow, I’ll log out and log back in. Since I already setup the 2nd factor earlier, I’ll just receive the request in the Guardian app asking me whether I want to approve or deny the login request.

In this example, we used the Auth0 Guardian app. The flow would have worked similarly for other authenticator apps such as the Google Authenticator. The Guardian app provides the friction-free multifactor experience and is my recommendation.

Traditional username and password authentication still plays a large role in managing modern identity. Enhanced security features like multifactor authentication help secure user accounts without hindering the user experience.

Sign up for a free Auth0 account today and give your users a peace of mind when it comes account security.